CVE-2026-48752 Sumo Logic CSE · Sumo

Detect Incus Arbitrary File Read/Write via Malicious Image Template Symlink in Sumo Logic CSE

CVE-2026-48752 is a critical vulnerability (CVSS 9.9) in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. A malicious container image can include a crafted symlink within the templates/ directory that, when processed by incusd during image import or container creation, allows an attacker to read or write arbitrary files on the host filesystem. This constitutes a container escape primitive with host takeover potential. A public proof-of-concept exists.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Lateral Movement

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=linux/syslog OR _sourceCategory=linux/audit OR _sourceCategory=containers/incus
| where _raw matches "(?i)incusd"
| where (
    (_raw matches "(?i)templates/" and _raw matches "(?i)(symlink|readlink|lstat|open)")
    or _raw matches "(?i)(path escape|chroot escape|container image import)"
    or (_raw matches "(?i)incusd" and _raw matches "(?i)(/etc/|/root/|/proc/|/sys/)")
  )
| parse regex "(?P<timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2})"
| parse regex "pid=(?P<pid>\\d+)" nodrop
| parse regex "file=(?P<file_path>[^\\s]+)" nodrop
| count by _sourceHost, file_path, _raw
| sort by _count desc
| fields _sourceHost, file_path, _count, _raw
critical severity medium confidence

Sumo Logic query detecting CVE-2026-48752 exploitation patterns by correlating incusd log events involving template directory access, symlink operations, and host filesystem access outside container boundaries.

Data Sources

Linux SyslogLinux AuditContainer logs

Required Tables

linux/sysloglinux/auditcontainers/incus

False Positives & Tuning

  • Legitimate Incus image import operations on systems running older but patched custom builds
  • CI/CD pipelines building and importing Incus images as part of automated test infrastructure
  • Incus cluster synchronisation operations that traverse image metadata directories

Other platforms for CVE-2026-48752

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Malicious Incus Image with Template Symlink Pointing to /etc/passwd

    Expected signal: incusd process accessing /etc/passwd via symlink resolution from templates/ directory; auditd SYSCALL records for readlink/open by incusd PID targeting /etc/passwd

  2. Test 2Exploit Incus Template Symlink for Arbitrary Host File Write

    Expected signal: incusd creating or writing to /tmp/incus-host-write-target via symlink from templates/; FileWriteInfo events for incusd outside container directories

  3. Test 3Scan Incus Image Store for Existing Malicious Template Symlinks

    Expected signal: Read-only filesystem traversal of /var/lib/incus/images by the scanning shell process; no incusd involvement expected

Last updated: 2026-06-27 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-48752 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0008Lateral Movement

Related Techniques

T1611Escape to HostT1083File and Directory DiscoveryT1565Data ManipulationT1195Supply Chain Compromise

Same Tactic: Privilege Escalation

Popular Detections